FACEBOOK SECURITY GUIDE: APPLICATION SECURITY ISSUES, SETTINGS, TIPS

Since its launch in 2004, Facebook has become the world’s leading social networking site, with 901 million active users and over 9 million applications integrated with its platform.[1] Unfortunately, this explosion in popularity has also increased the security threats facing users. Staying secure on Facebook depends on both users and developers. Users need to be educated on current Facebook security issues so that they can recognize and avoid malicious content. Facebook application developers have to take measures when writing apps to ensure that users remain protected from threats such as data theft and malware.

Facebook Security Tips for Users

When it comes to the application level, there are several measures users can take to reduce Facebook security issues. For starters, users should regularly review and maintain the apps they have installed on their accounts. This can be done by clicking “Edit Settings” for Ads, Apps, & Websites on the Privacy Settings page. As a general rule of thumb, users should delete apps they no longer use or use infrequently, as these apps could still pose a threat to Facebook security. Additionally, users should delete any apps they don’t recognize and apps that don’t run correctly, as these are telltale signs of fake apps.[2] The Privacy Settings page for Apps, Games, and Websites also allows users to specify how their information is shared with apps, searches, ads, and other sites. Generally speaking, the less information a user shares, the safer they are. At the bare minimum it is advisable that users do not list their mobile phone numbers or home addresses, as many apps have been found to access and collect this information.[4]

The next step in optimizing user Facebook security is education. Users who are wise to the current methods being used by Facebook attackers stand a much better chance of avoiding these attacks altogether. While many of these attacks are spam-related, there have also been cases linked to more serious issues such as personal data and identity theft. Many of these attacks come in the form of fake product pages, accounts, and apps.[3] Users should be skeptical of any apps, messages, recommendations, invitations, pages, or posts that contain questionable content, such as offers that seem too good to be true, unsolicited contact from unfamiliar users, and duplicate versions of apps or pages. Fortunately, Facebook security software will automatically lock, scan, and repair an account that has become infected with malware.[6]

Facebook Security for Application Developers

Facebook application security is largely dependent on the security practices used by developers. The Facebook Developer App provides developers with a platform for securing their applications through a variety of settings. In order to securely test apps, developers can use “Sandbox Mode” to allow for application testing while keeping apps hidden from all users except a specified set of testers. There are four different roles developers can assign to testers, each with different levels of permissions. In order to protect apps from being taken over by malicious parties, Facebook allows developers to create whitelists that only allow specified IP addresses to change application settings or make API calls. As a precautionary measure, Facebook notifies developers any time their app is modified to ensure that their apps aren’t being edited without their knowledge.[5] Finally, Facebook security software includes tools for detecting and blocking bad links, scanning code for cross-site scripting, and additional protection against clickjacking and account takeovers.[7]
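The three developer-side controls named above (an IP whitelist for settings changes and API calls, role-based permissions for testers, and a notification whenever the app is modified) can be combined into one authorization gate. The following is an added illustration written for this guide, not Facebook's own implementation or its Developer App code: the role names, the actions, the `AppAccessPolicy` class and the CIDR ranges (taken from the reserved documentation blocks) are all assumptions, and the "notification" is modelled as an audit-log entry that a real deployment would forward to the app owner.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical tester roles and the actions each may perform. The page says
# Facebook offers four roles with different permission levels; these names
# are assumed for illustration and are not Facebook's.
ROLE_PERMISSIONS = {
    "administrator": {"change_settings", "call_api", "run_tests"},
    "developer": {"call_api", "run_tests"},
    "tester": {"run_tests"},
    "analyst": set(),
}

# Actions that must additionally come from a whitelisted IP address.
IP_RESTRICTED_ACTIONS = {"change_settings", "call_api"}


@dataclass
class AppAccessPolicy:
    """Authorization gate for an app's administrative actions (constructed example)."""
    allowed_networks: list            # CIDR strings, e.g. "203.0.113.0/24"
    audit_log: list = field(default_factory=list)

    def ip_allowed(self, client_ip: str) -> bool:
        """True only if client_ip parses and falls inside a whitelisted network."""
        try:
            addr = ipaddress.ip_address(client_ip)
        except ValueError:
            return False                # malformed or spoofed-looking input is denied
        return any(addr in ipaddress.ip_network(net, strict=False)
                   for net in self.allowed_networks)

    def authorize(self, user: str, role: str, action: str, client_ip: str) -> bool:
        """Apply role check, then IP whitelist, and record the outcome as an audit event."""
        permitted = action in ROLE_PERMISSIONS.get(role, set())
        if permitted and action in IP_RESTRICTED_ACTIONS:
            permitted = self.ip_allowed(client_ip)
        # Every attempt, allowed or denied, becomes a notification record so the
        # owner learns about changes (and attempted changes) they did not make.
        self.audit_log.append({
            "user": user, "role": role, "action": action,
            "ip": client_ip, "allowed": permitted,
        })
        return permitted


def demo() -> dict:
    """Run the gate against constructed requests and return the decisions."""
    policy = AppAccessPolicy(allowed_networks=["203.0.113.0/24", "198.51.100.8/29"])
    return {
        "admin_from_office": policy.authorize("alice", "administrator",
                                              "change_settings", "203.0.113.40"),
        "admin_from_elsewhere": policy.authorize("alice", "administrator",
                                                 "change_settings", "192.0.2.7"),
        "tester_changing_settings": policy.authorize("bob", "tester",
                                                     "change_settings", "203.0.113.41"),
        "tester_running_tests": policy.authorize("bob", "tester",
                                                 "run_tests", "192.0.2.9"),
        "garbage_ip": policy.authorize("alice", "administrator",
                                       "call_api", "not-an-ip"),
        "events_logged": len(policy.audit_log),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The ordering matters: the role check runs first so that a whitelisted address never elevates a low-privilege tester, and the IP check is skipped for actions such as running tests that the page does not describe as IP-restricted. Because denied attempts are logged as well, the owner's notification feed doubles as a detection signal for takeover attempts against the app's settings.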
